ERISA does not mandate a written cybersecurity or financial information policy, and there is no one-size-fits-all approach that must be taken. Instead, a plan sponsor must act prudently. The easiest way to show that a plan sponsor has followed a prudent process is to document that process. Creating any prescriptive document beyond those required by ERISA can carry significant challenges and risks, so cybersecurity documents should focus on process items rather than attempting to lay out any hard and fast rules.
The process of assessing security is further complicated by a destructive information cycle. Recordkeepers have significant incentives to reveal only a limited amount of information about their cyber defenses because hackers can learn from extensive revelations and adapt their methods to avoid detection. This means that recordkeepers often rationally respond with only limited information about cyberattacks and security.
Plan sponsors should consider:
- A process for addressing and fixing cybersecurity issues; for example, identify possible gaps in security in the information sharing process with TPAs and recordkeepers.
- Ensure that the appropriate level of cyber liability insurance is in place (both the employer and vendors) to help mitigate the damage of any potential attack and be sure that such coverage is as broad as possible.
- Document the process for moving plan data, maintain a data inventory, retain only data needed and if data elements can be redacted, do so.
- Delete records that are no longer necessary and make sure providers do the same.
- Consider retaining an outside firm that specializes in cybersecurity for retirement plans to ensure participants’ data is secure through periodic audits.
- Thoroughly vet service providers and negotiate contract provisions to lower or mitigate the cost of correcting a possible cyberattack on a plan by allocating responsibility to the vendor.
- Request a copy of a provider’s Report on Controls SOC-II, an audit report describing an organization’s internal controls and attesting to their strength.
- Plan fiduciaries should review their providers’ SOC reports and make sure that the reliance that the recordkeeper is placing on the client for their “part” is understood and in place.
- Implement processes and controls to restrict access to plan systems, applications, data and other sensitive information.
- Develop a retirement plan specific cybersecurity risk management strategy – in short, have a plan in place to address your response to a breach (including appropriate notices and remediation efforts).
- Consider requiring 2-factor authentication to access participant accounts.
Plan sponsors should encourage plan participants to:
- Set up an online account. Without an online account, the participant’s vulnerability to fraud is greatly increased, because it allows hackers to set up new online accounts and gain access to a participant’s funds.
- Choose strong passwords that are hard to guess.
- Change their passwords frequently.
- Store passwords with care – do not leave passwords on desk, table or counter for others to see.
- Log out completely from any plan related web or intranet site.
Cyber and Fiduciary Insurance
Fiduciary insurance is typically triggered when a lawsuit is filed or regulatory investigation is commenced (or sometimes when a regulator asserts a deficiency), while cyber insurance is often triggered by a data breach. Existing fiduciary insurance may help after a lawsuit is filed, but prior to that point, the plan and/or plan sponsor may be responsible for the costs and mechanics associated with a breach (depending on the terms of the insurance policy). These include finding, hiring, and paying for experts to assess the scope of the breach and develop a mitigation plan, as well as finding the capacity to notify and respond to participant inquiries regarding an incident.
Plan sponsors may wish to seek specific cyber insurance policies or riders to existing policies (some of which are available in the market today) to cover their employee benefit plan(s). Policies that provide benefits upon a breach can offer assistance in locating the appropriate personnel to address each step of the process: from determining the scope of the breach, to notifying the appropriate individuals or entities, to providing resources to mitigate, or making whole any damages suffered as a result of the breach, such as identity monitoring or replacing stolen assets.
The cybersecurity environment for retirement plans is undergoing significant evolution, and this evolution will accelerate. While the precise fiduciary obligations of plan sponsors with respect to plan and participant information are not yet clearly defined, it is clear that multiple efforts are underway to define those obligations and to respond to the increasing need to strengthen protections. Presently, the SEC, the DOL, multiple states, and key industry organizations like SPARK and the ERISA Advisory Council are working to regulate cybersecurity and develop increased protections.
SPARK’s Industry Best Practices for provider data security reporting
||Risk Assessment and Treatment
||The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals
||Technology risk assessments are completed
||Organizational information security policy is established
||Security policies are approved and communicated
||Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
||A CISO or ISO has been assigned
||The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy
||IT application records are maintained in a formal system of record
||Human Resource Security
||The organization’s personnel and partners are suitable for the roles they are considered for, are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements
||Personnel are subject to initial and periodic background checks
||Physical and Environmental Security
||Physical access to assets is managed and protected
||Data centers are secured 24x7x365 with on-site physical security controls
||Communications and Operations Management
||Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements
||Networks and systems include standard data security tools such as firewalls, antivirus, intrusion detection, and patch management.
||Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
||Unique, complex passwords are assigned to all employees
||Information Systems Acquisition Development
||A system development life cycle (SDLC) to manage systems is implemented; a vulnerability management plan is developed and implemented and vulnerability scans are performed.
||Regular penetration tests are conducted on customer facing applications
||Incident and Event Communications Management
||Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
||Cyber incident procedures are documented and routinely tested
||Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
||The organization maintains and tests BCP and DR plans
||Legal requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
||Policies and procedures are in place to enforce applicable privacy obligations
||A formal policy shall be in place and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communication facilities
||A mobile policy is approved and enforced
||Data-at-rest is protected and Data-in-transit is protected.
||External transmissions are encrypted using FIPS approved algorithms
||Ensure protection of the organization’s assets that is accessible by suppliers
||Suppliers are subject to periodic security reviews
||Ensure protection of the organization’s assets that are stored or processed in cloud environments
||Cloud providers are subject to periodic security reviews or can provide independent security assessments of their environment
Industry Best Practice Data Security Reporting. The SPARK Institute, Inc.
Benefit Plan Cybersecurity Considerations: A Recordkeeper and Plan Perspective.
Pension Research Council.
Securing a successful HR and benefits technology strategy. Arthur J. Gallagher & Co. Human Capital Insights Report.
Vanderbilt 403(b) excessive fee case settlement goes beyond monetary relief. Arthur J. Gallagher & Co. Retirement Plan Consulting Practice whitepaper.
Cyber Security and Retirement Plans. Retirement Learning Center.
This material was created to provide accurate and reliable information on the subjects covered, but should not be regarded as a complete analysis of these subjects. It is not intended to provide specific legal, tax or other professional advice. The services of an appropriate professional should be sought regarding your individual situation.
Gallagher Benefit Services, Inc., a subsidiary of Arthur J. Gallagher & Co., (Gallagher) is a non-investment firm that provides employee benefit and retirement plan consulting services to employers. Securities may be offered through Kestra Investment Services, LLC, (Kestra IS), member FINRA/SIPC. Investment advisory services may be offered through Kestra Advisory Services, LLC (Kestra AS), an affiliate of Kestra IS. Certain appropriately licensed individuals of Gallagher are registered to offer securities through Kestra IS or investment advisory services through Kestra AS. Neither Kestra IS nor Kestra AS are affiliated with Gallagher. Neither Kestra IS, Kestra AS, Gallagher, their affiliates nor representatives provide accounting, legal or tax advice. GBS/Kestra-CD(327886)(exp092020)